Click here to close now.

Welcome!

Security Authors: Elizabeth White, Liz McMillan, Pat Romanski, Vormetric Blog, Brad Thies

Related Topics: Cloud Expo, Java, SOA & WOA, Virtualization, Web 2.0, Security

Cloud Expo: Article

Software as a Service (SaaS), Security and Risk Management: Part 1

A SaaS Security roadmap

As cloud computing technologies and offerings mature and evolve in its services to customers, one common consumer use will be that of the Software as a Service (SaaS) model.

My earlier articles have touched on the various models, risks, security and forensics at several levels. There is also a plethora of resources available now that end users can educate themselves with that are freely available online.

This article will focus on aspects of security that impact the SaaS environment as developed, presented or augmented by me for several Cloud Computing projects.

Before we proceed in the subject matter, a brief clarification of what I refer to as the cloud follows. Keep in mind that this term "cloud computing" is now being used to describe a broad range of services to include product descriptors that sits outside the common definition of the cloud.

For ease of reference I will refer to the National Institute of Standards and Technology (NIST) [1] definition of which the following is a part. "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Over the years since the concept of Cloud Computing evolved we have seen an accepted concept of the "Cloud Computing Stack", with its three distinct categories: Software as a Service, Platform as a Service and Infrastructure as a Service; where the IaaS Is the platform upon which PaaS rests and which is turn has SaaS rests moving up from IaaS to SaaS.

It is important to keep this basic stack in mind as the building blocks of the Cloud Computing system and not get distracted by all the "as a Service" spring up across markets as we proceed with this article.

As we move more and more services into the Cloud ecosystem, there will always be concerns regarding security. However a prescriptive combination of both preventive and detective controls at those data centers housing the IaaS ecosystem is on the path to security compliance and event mitigation. These controls, as a step toward better cloud computing security should be assessed and assured to meet industry tested security controls, as well as regulatory and policy requirements. The same format can be modified and applied up the stack to the PaaS segment.

However it is at the SaaS layer that we can perceive additional challenges with cloud security. One critical area of concern stems from the potential risk that a client's data can be exposed to as it is stored within the storage system of its SaaS provider. This risk can potentially increase in the event of the SaaS provider in turn utilizing the services of a third party IaaS provider.

While effective data center security controls are good for inside a data center, web-services or applications outside this area are a growing target for application layer type attacks. This can lead to the loss of critical to sensitive customer data as well as intellectual property and other corporate data.

A challenge for the IT security professional here is how to implement a level of protection that meets IT Security control requirements as well as ensures compliance with information security regulations, E.g. PCI-DSS in the case of transactions via web services.

In both the traditional environments and cloud services infrastructure environments, we have firewalls tweaked and configured with rulebase automation as a best practice. However in the dynamic cloud environment I believe that having to manage firewall signatures for example, amongst other issues could be challenging and counter-productive.

Essentially we would need to implement security in a layered approach which should include the network, servers, databases and coding, augmented by a system that should have a defined security process based on the SaaS environment and its functionality. This should be an additive measure to augment other monitoring and logging systems deployed to secure this environment.

This system should also have the ability to implement tools that will be able to dynamically learn the behavior of an application supported by an automated mechanism, thus removing the need for signatures in the case of firewall systems as mentioned earlier.

Within the SaaS environment we need to ensure adequate security in input validation by SaaS end users, effective user authentication and authorization, proper data segregation with security encapsulation for data in motion using SSL (3.0 or above) or TLS (1.0 above), effective software patching policies and procedures by the SaaS provider working with its software vendors as well as a key generation strategy.

(While SSL/TLS is encryption for data in motion between a Web Server and a browser is a good practice, administrators should disable weak algorithms and ciphers residing on the Web Server).

There must also be assurance for uptime or availability that is formalized in a Service Level Agreement (SLA). Impact on environments supporting the SaaS ecosystem can be attacks impacting Network Security as well as the process for Backup and Recovery.

Researchers Bhadauria and Sanyal [1] stated "Two types of servers are used by SaaS: the Main Consistence Server (MCS) and Domain Consistence Server (DCS). Cache coherence is achieved by the cooperation between MCS and DCS. In SaaS, if the MCS is damaged, or compromised, the control over the cloud environment is lost. Hence securing the MCS is of great importance."

Another concern within this ecosystem is that of cross site scripting attacks that targets Asynchronous JavaScript and XML- AJAX [2].A best practice here would be to have a policy that ensures that all calls are verified with the Web Server and Service to ensure proper authentication and authorization before allowing the request.

Moving away a bit from the technology of security in this environment, Cloud Computing and SaaS on a whole was in its infancy and in some circles denounced as a viable IT service (no names called here, but a tech company leader specializing in databases and now cloud products comes to mind).

In terms of regulations that impact web services and by extension SaaS, we can reference the Gramm-Leach-Bliley Act (GLBA) [3] passed in 1999, Sarbanes-Oxley Act (SOX) in 2002 [4], and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule of 2003[5]. All three of these regulations, although important in their relative environments (e.g. Customer Relationship Management (CRM), Enterprise Resource Planning (ERP), Intellectual Property systems (IPS) and Human Resources Systems), were not crafted to include elements of a SaaS environment then.

As a result there needs to be finite and focused addendums or improvement to these acts as was in the case of SAS 70 to SSAE 16 to meet this technological evolution.

Of importance is that, despite the security measures and attestations provided by a SaaS provider to assure a client of their security controls or compensating controls and compliance processes in place to meet regulatory and security standards; it is still the responsibility of a data owner to maintain industry regulated requirements to comply with confidentiality, integrity, non-repudiation and security control over sensitive to critical information.

So the challenge here is to ensure that a cloud client requirement (Security Policy, Strategy, Data Provenance, Operational and End-User Security) is part of the discussion with the cloud provider and most if not all requirements mirror.

The designation of data classification is part of another topic and should be the influenced by the result of risk impact and gap analysis.

As a closing point the value of vulnerability assessments and penetration tests within the SaaS environment is an important tool for an independent set of eyes to present information that a potential attacker will find and use against the SaaS. This is not only related to technology as is well known due to the rise of social engineering.

References

[1] A Survey on Security Issues in Cloud Computing www.ijcaonline.org › Archives › Volume 47 › Number 18, Rohit Bhadauria; Sugata Sanyal, 2012

[2] Jesse James Garrett (18 February 2005). "Ajax: A New Approach to Web Applications". AdaptivePath.com.

[3] http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act

[4] http://www.sec.gov/info/smallbus/404guide/intro.shtml

[5] http://www.hhs.gov/ocr/privacy/

More Stories By Jon Shende

Jon RG Shende is an executive with over 18 years of industry experience. He commenced his career, in the medical arena, then moved into the Oil and Gas environment where he was introduced to SCADA and network technologies,also becoming certified in Industrial Pump and Valve repairs. Jon gained global experience over his career working within several verticals to include pharma, medical sales and marketing services as well as within the technology services environment, eventually becoming the youngest VP of an international enterprise. He is a graduate of the University of Oxford, holds a Masters certificate in Business Administration, as well as an MSc in IT Security, specializing in Computer Crime and Forensics with a thesis on security in the Cloud. Jon, well versed with the technology startup and mid sized venture ecosystems, has contributed at the C and Senior Director level for former clients. As an IT Security Executive, Jon has experience with Virtualization,Strategy, Governance,Risk Management, Continuity and Compliance. He was an early adopter of web-services, web-based tools and successfully beta tested a remote assistance and support software for a major telecom. Within the realm of sales, marketing and business development, Jon earned commendations for turnaround strategies within the services and pharma industry. For one pharma contract he was responsibe for bringing low performing districts up to number 1 rankings for consecutive quarters; as well as outperforming quotas from 125% up to 314%. Part of this was achieved by working closely with sales and marketing teams to ensure message and product placement were on point. Professionally he is a Fellow of the BCS Chartered Institute for IT, an HITRUST Certified CSF Practitioner and holds the CITP and CRISC certifications.Jon Shende currently works as a Senior Director for a CSP. A recognised thought Leader, Jon has been invited to speak for the SANs Institute, has spoken at Cloud Expo in New York as well as sat on a panel at Cloud Expo Santa Clara, and has been an Ernst and Young CPE conference speaker. His personal blog is located at http://jonshende.blogspot.com/view/magazine "We are what we repeatedly do. Excellence, therefore, is not an act, but a habit."

@ThingsExpo Stories
Dale Kim is the Director of Industry Solutions at MapR. His background includes a variety of technical and management roles at information technology companies. While his experience includes work with relational databases, much of his career pertains to non-relational data in the areas of search, content management, and NoSQL, and includes senior roles in technical marketing, sales engineering, and support engineering. Dale holds an MBA from Santa Clara University, and a BA in Computer Science from the University of California, Berkeley.
The cloud is now a fact of life but generating recurring revenues that are driven by solutions and services on a consumption model have been hard to implement, until now. In their session at 16th Cloud Expo, Ermanno Bonifazi, CEO & Founder of Solgenia, and Ian Khan, Global Strategic Positioning & Brand Manager at Solgenia, will discuss how a top European telco has leveraged the innovative recurring revenue generating capability of the consumption cloud to enable a unique cloud monetization model to drive results.
As organizations shift toward IT-as-a-service models, the need for managing and protecting data residing across physical, virtual, and now cloud environments grows with it. CommVault can ensure protection &E-Discovery of your data – whether in a private cloud, a Service Provider delivered public cloud, or a hybrid cloud environment – across the heterogeneous enterprise. In his session at 16th Cloud Expo, Randy De Meno, Chief Technologist - Windows Products and Microsoft Partnerships, will discuss how to cut costs, scale easily, and unleash insight with CommVault Simpana software, the only si...
Analytics is the foundation of smart data and now, with the ability to run Hadoop directly on smart storage systems like Cloudian HyperStore, enterprises will gain huge business advantages in terms of scalability, efficiency and cost savings as they move closer to realizing the potential of the Internet of Things. In his session at 16th Cloud Expo, Paul Turner, technology evangelist and CMO at Cloudian, Inc., will discuss the revolutionary notion that the storage world is transitioning from mere Big Data to smart data. He will argue that today’s hybrid cloud storage solutions, with commodity...
Every innovation or invention was originally a daydream. You like to imagine a “what-if” scenario. And with all the attention being paid to the so-called Internet of Things (IoT) you don’t have to stretch the imagination too much to see how this may impact commercial and homeowners insurance. We’re beyond the point of accepting this as a leap of faith. The groundwork is laid. Now it’s just a matter of time. We can thank the inventors of smart thermostats for developing a practical business application that everyone can relate to. Gone are the salad days of smart home apps, the early chalkb...
Cloud data governance was previously an avoided function when cloud deployments were relatively small. With the rapid adoption in public cloud – both rogue and sanctioned, it’s not uncommon to find regulated data dumped into public cloud and unprotected. This is why enterprises and cloud providers alike need to embrace a cloud data governance function and map policies, processes and technology controls accordingly. In her session at 15th Cloud Expo, Evelyn de Souza, Data Privacy and Compliance Strategy Leader at Cisco Systems, will focus on how to set up a cloud data governance program and s...
Roberto Medrano, Executive Vice President at SOA Software, had reached 30,000 page views on his home page - http://RobertoMedrano.SYS-CON.com/ - on the SYS-CON family of online magazines, which includes Cloud Computing Journal, Internet of Things Journal, Big Data Journal, and SOA World Magazine. He is a recognized executive in the information technology fields of SOA, internet security, governance, and compliance. He has extensive experience with both start-ups and large companies, having been involved at the beginning of four IT industries: EDA, Open Systems, Computer Security and now SOA.
The industrial software market has treated data with the mentality of “collect everything now, worry about how to use it later.” We now find ourselves buried in data, with the pervasive connectivity of the (Industrial) Internet of Things only piling on more numbers. There’s too much data and not enough information. In his session at @ThingsExpo, Bob Gates, Global Marketing Director, GE’s Intelligent Platforms business, to discuss how realizing the power of IoT, software developers are now focused on understanding how industrial data can create intelligence for industrial operations. Imagine ...
We certainly live in interesting technological times. And no more interesting than the current competing IoT standards for connectivity. Various standards bodies, approaches, and ecosystems are vying for mindshare and positioning for a competitive edge. It is clear that when the dust settles, we will have new protocols, evolved protocols, that will change the way we interact with devices and infrastructure. We will also have evolved web protocols, like HTTP/2, that will be changing the very core of our infrastructures. At the same time, we have old approaches made new again like micro-services...
Operational Hadoop and the Lambda Architecture for Streaming Data Apache Hadoop is emerging as a distributed platform for handling large and fast incoming streams of data. Predictive maintenance, supply chain optimization, and Internet-of-Things analysis are examples where Hadoop provides the scalable storage, processing, and analytics platform to gain meaningful insights from granular data that is typically only valuable from a large-scale, aggregate view. One architecture useful for capturing and analyzing streaming data is the Lambda Architecture, representing a model of how to analyze rea...
Today’s enterprise is being driven by disruptive competitive and human capital requirements to provide enterprise application access through not only desktops, but also mobile devices. To retrofit existing programs across all these devices using traditional programming methods is very costly and time consuming – often prohibitively so. In his session at @ThingsExpo, Jesse Shiah, CEO, President, and Co-Founder of AgilePoint Inc., discussed how you can create applications that run on all mobile devices as well as laptops and desktops using a visual drag-and-drop application – and eForms-buildi...
SYS-CON Events announced today that Vitria Technology, Inc. will exhibit at SYS-CON’s @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Vitria will showcase the company’s new IoT Analytics Platform through live demonstrations at booth #330. Vitria’s IoT Analytics Platform, fully integrated and powered by an operational intelligence engine, enables customers to rapidly build and operationalize advanced analytics to deliver timely business outcomes for use cases across the industrial, enterprise, and consumer segments.
SYS-CON Events announced today that Dyn, the worldwide leader in Internet Performance, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Dyn is a cloud-based Internet Performance company. Dyn helps companies monitor, control, and optimize online infrastructure for an exceptional end-user experience. Through a world-class network and unrivaled, objective intelligence into Internet conditions, Dyn ensures traffic gets delivered faster, safer, and more reliably than ever.
Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 16th Cloud Expo at the Javits Center in New York June 9-11 will find fresh new content in a new track called PaaS | Containers & Microservices Containers are not being considered for the first time by the cloud community, but a current era of re-consideration has pushed them to the top of the cloud agenda. With the launch of Docker's initial release in March of 2013, interest was revved up several notches. Then late last...
CommVault has announced that top industry technology visionaries have joined its leadership team. The addition of leaders from companies such as Oracle, SAP, Microsoft, Cisco, PwC and EMC signals the continuation of CommVault Next, the company's business transformation for sales, go-to-market strategies, pricing and packaging and technology innovation. The company also announced that it had realigned its structure to create business units to more directly match how customers evaluate, deploy, operate, and purchase technology.
In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect at GE, and Ibrahim Gokcen, who leads GE's advanced IoT analytics, focused on the Internet of Things / Industrial Internet and how to make it operational for business end-users. Learn about the challenges posed by machine and sensor data and how to marry it with enterprise data. They also discussed the tips and tricks to provide the Industrial Internet as an end-user consumable service using Big Data Analytics and Industrial Cloud.
Performance is the intersection of power, agility, control, and choice. If you value performance, and more specifically consistent performance, you need to look beyond simple virtualized compute. Many factors need to be considered to create a truly performant environment. In his General Session at 15th Cloud Expo, Harold Hannon, Sr. Software Architect at SoftLayer, discussed how to take advantage of a multitude of compute options and platform features to make cloud the cornerstone of your online presence.
The explosion of connected devices / sensors is creating an ever-expanding set of new and valuable data. In parallel the emerging capability of Big Data technologies to store, access, analyze, and react to this data is producing changes in business models under the umbrella of the Internet of Things (IoT). In particular within the Insurance industry, IoT appears positioned to enable deep changes by altering relationships between insurers, distributors, and the insured. In his session at @ThingsExpo, Michael Sick, a Senior Manager and Big Data Architect within Ernst and Young's Financial Servi...
Almost everyone sees the potential of Internet of Things but how can businesses truly unlock that potential. The key will be in the ability to discover business insight in the midst of an ocean of Big Data generated from billions of embedded devices via Systems of Discover. Businesses will also need to ensure that they can sustain that insight by leveraging the cloud for global reach, scale and elasticity.
IoT is still a vague buzzword for many people. In his session at @ThingsExpo, Mike Kavis, Vice President & Principal Cloud Architect at Cloud Technology Partners, discussed the business value of IoT that goes far beyond the general public's perception that IoT is all about wearables and home consumer services. He also discussed how IoT is perceived by investors and how venture capitalist access this space. Other topics discussed were barriers to success, what is new, what is old, and what the future may hold. Mike Kavis is Vice President & Principal Cloud Architect at Cloud Technology Pa...